Senators: Don't make a federal case out of all cyber crimes

By William Jackson

Sep 07, 2011

Leaders of the Senate Judiciary Committee agree that the Cyber Fraud and Abuse Act must be brought into line with evolving online threats, but they expressed concerns during a Sept. 7 hearing that the administration might be overreaching in criminalizing some online behavior.

“We can’t ignore these threats,” Chairman Patrick Leahy (D-Vt.) said in his opening remarks. But he cautioned later that “we want to concentrate on the real cyber crimes” and not turn minor violations of service agreements into federal crimes.

Leahy and ranking Republican Chuck Grassley of Iowa also were uneasy about a legislative proposal that would impose minimum sentences for anyone convicted of attacks or attempted attacks on critical infrastructure. Leahy said he would not recommend including minimum sentences in a cybersecurity bill now before his committee.

The hearing focused on proposed cybersecurity legislation offered by the Obama administration in May that also would update the Cyber Fraud and Abuse Act that now covers many online crimes. The goals of the proposal are to keep CFAA technology-neutral so it would remain viable as technology evolves and to bring federal law dealing with online crime into line with laws covering crime in the physical world.

The proposed legislation would make it clear that the Racketeering Influenced and Corrupt Organization Act, a major law enforcement tool against organized crime, applies to CFAA offenses.

“The fight against organized crime is far from over; rather, much of the focus has moved online,” Associate Deputy Attorney General James Baker told the committee.

Some penalties for CFAA violations also would be increased. For instance, currently wire fraud can carry a sentence of 20 years, while a similar crime prosecuted under CFAA carries only a five-year sentence. “This discrepancy makes no sense,” Baker said.

Senators did not object to this but were concerned that attacks on critical infrastructure would be treated differently from other crimes, requiring a three-year minimum sentence.

Baker defended the proposal, saying, “In light of the grave risk posed by those who might compromise our critical infrastructure, even an unsuccessful attempt at damaging our nation’s critical infrastructure merits actual imprisonment of a term not less than three years — not probation, intermittent confinement, community confinement or home detention.”

Another bone of contention was the interpretation of laws against exceeding authorized access to online devices and resources. Although the law usually is enforced against hackers who break into another person’s computer, it also could be interpreted as criminalizing any breach of a service agreement between a consumer and a service provider, or between an employee and employer.

“Some have argued that the definition of ‘exceeds authorized access’ in the CFAA should be restricted to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider,” Baker said. “We appreciate this view, but we are concerned that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution.”

Without this authority, federal authorities could be powerless to prosecute some employees for stealing confidential information in the workplace, Baker said.

Sen. Sheldon Whitehouse (D-R.I.) said the Justice Department needed to make a clear statement that it was not department policy to prosecute violations of service agreements.

“I don’t think that there has ever been a society so bedeviled by fine print in contracts as America is now,” Whitehouse said, adding that the specter of federal enforcement of fine print could only make this worse.

Baker said the department had used the “authorized access” law responsibly and is willing to rely on the committee’s oversight to help define how it should be used. “What we’re trying to do is address these concerns and at the same time not let somebody off the hook.”

One other issue of concern, which Whitehouse called “the elephant in the room,” was the ability to enforce any new cyber crime legislation when law enforcement resources already are stretched thin.

Both the Justice Department and the Secret Service, which also pursues online crime, are beefing up their capabilities. Pablo Martinez, deputy special agent in charge of the service’s Criminal Investigative Division, said 1,400 special agents have received in-depth computer crime training as part of the Electronic Crimes Special Agent Program, and that all incoming agents now go through a two- to three-week course of cyber training in the service’s academy.

Baker said the Justice Department now has 230 prosecutors dedicated to cyber crimes and a classified number of investigators also working in that field.

“We can always use more resources,” he said. The department asked for an additional 160 people in its 2011 budget request.